One possible approach is by WMI. WMI provides the Win32_Service class, which you can query in Splunk and then search upon the results.
I use this in wmi.conf to collect WMI information about running services so I can alert when a service that is expected to be running isn't.
[WMI:Services]
interval = 60
disabled = 0
index = default
wql = select Name, ProcessId, Caption, DisplayName, State, Status, StartName, SystemName from Win32_Service
Yes, you will need to make a .conf file to support this. What I provided is basically data capture. It will give you, every minute, a list of all of the NT services and their current state (Running, Stopped, Starting, etc). Doesn't care what the service is or what it does. From there, it's up to you to make a search that searches on the services you care about and their correct status.
How do we limit to certain services? The volume of data is fairly huge with nearly 200 services on my servers. Killing my index volume. I really only care about a handful of the services.
Unfortunately there is no whitelist or blacklist available for WinHostMon so it monitors all services and indexes the data for all.
The "where" clause noted below will only limit the results after indexing.
I found that using the WinHostMon sourcetype works better, as the WMI sourcetype stopped reading after it encountered a space in the name of the service. It was also deduplicating any services that had the same word before the space. WinHostMon reports correctly.
Here is the code I used:
index="windows" sourcetype="WinHostMon" source=service earliest="-24h@h" latest="now" | stats latest(State) AS Status by host DisplayName | rename DisplayName AS "Display Name"
Hope that helps.
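As an added offline illustration of the check this thread describes (not code from any poster), the Python below models what the WinHostMon search above does: it parses key=value service events, keeps the latest State per host and DisplayName like "stats latest(State) by host DisplayName", and then reports expected services that are not Running or never reported at all. The events, hosts, timestamps and the EXPECTED policy are constructed for the example; the field names Name, DisplayName, State and Status are the ones used in the thread. Splitting each line on the first "=" keeps display names containing spaces intact, which is the problem the WMI sourcetype ran into.

```python
from datetime import datetime

# Constructed sample events (not real captures): each tuple is
# (host, event time, raw event body). The body mimics the multi-line
# key=value layout WinHostMon emits for source=service; field names
# Name/DisplayName/State/Status are the ones used in the thread.
SAMPLE_EVENTS = [
    ("srv01", "2024-01-10 10:00:00",
     "Type=Service\nName=Spooler\nDisplayName=Print Spooler\nState=Running\nStatus=OK"),
    ("srv01", "2024-01-10 10:00:00",
     "Type=Service\nName=wuauserv\nDisplayName=Windows Update\nState=Running\nStatus=OK"),
    ("srv01", "2024-01-10 10:00:00",
     "Type=Service\nName=W32Time\nDisplayName=Windows Time\nState=Running\nStatus=OK"),
    # one minute later the spooler on srv01 has stopped
    ("srv01", "2024-01-10 10:01:00",
     "Type=Service\nName=Spooler\nDisplayName=Print Spooler\nState=Stopped\nStatus=OK"),
    ("srv02", "2024-01-10 10:01:00",
     "Type=Service\nName=Spooler\nDisplayName=Print Spooler\nState=Running\nStatus=OK"),
]

# Services that must be running on each host (assumed policy for the example).
EXPECTED = {
    "srv01": {"Print Spooler", "Windows Update", "Windows Time"},
    "srv02": {"Print Spooler", "SQL Server (MSSQLSERVER)"},
}


def parse_event(body):
    """Turn the key=value lines into a dict. Splitting on the first '='
    only keeps DisplayName values with spaces or parentheses intact."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def latest_state(events):
    """Equivalent of '| stats latest(State) by host DisplayName':
    returns {(host, DisplayName): State} using the newest event per pair."""
    newest = {}  # (host, DisplayName) -> (event time, State)
    for host, ts, body in events:
        fields = parse_event(body)
        if fields.get("Type") != "Service" or "DisplayName" not in fields:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (host, fields["DisplayName"])
        if key not in newest or when >= newest[key][0]:
            newest[key] = (when, fields.get("State", "Unknown"))
    return {key: state for key, (_, state) in newest.items()}


def find_not_running(latest, expected):
    """Alert rows (host, DisplayName, State) for expected services whose
    latest state is not Running, plus services that never reported
    (reported with the synthetic state MISSING)."""
    alerts = []
    for host, names in expected.items():
        for name in sorted(names):
            state = latest.get((host, name), "MISSING")
            if state != "Running":
                alerts.append((host, name, state))
    return alerts


if __name__ == "__main__":
    for row in find_not_running(latest_state(SAMPLE_EVENTS), EXPECTED):
        print("ALERT host=%s service=%r state=%s" % row)
```

The MISSING case is the one the SPL search cannot surface on its own: a service that has stopped reporting (or a host that has stopped forwarding) produces no row at all, so a lookup of expected services is what turns silence into an alert.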